lessons 5-9

Question 1

Targeted attack

Answer 1

is when a threat actor chooses a target for a specific objective. The choice of the target is influenced by the perceived value of the outcome

Question 2

Opportunistic attack

Answer 2

is when a threat actor takes advantage of a vulnerable target (not previously knowing them). the choice of target is generally influenced by work factors (Time effort and resources to accomplish a task)

Question 3

Hacktivist

Answer 3

threat actor making a Political statement, generally talented. Funding variable

Question 4

Organized crime (cyber criminals)

Answer 4

out to make money, well organized, well funded

Question 5

Insiders | Shadow IT

Answer 5

someone at the organization that’s disgruntled

Question 6

Script Kiddies

Answer 6

threat actor that does it for bragging rights or notoriety. Low level of sophistication

Question 7

Hackers

Answer 7

financial gain, notoriety. Generally talented

Question 8

NON-ADVERSARIAL THREATS

Answer 8

1. Natural: natural occurrences such as earthquakes, floods, fire, pollutants, pandemics
2. Operational: Loss of service like electricity, HVAC, technical issues, com, failure
3. Human: Accidents, civil disturbances, work stoppages.

Question 9

Threat Modeling

Answer 9

Is a structured process by which potential threats and threat actors can be identified, enumerated, and prioritized.

Question 10

Asset-centric

Answer 10

What/why. Identifies valued assets and motivation

Question 11

Architecture-centric

Answer 11

How. identifies system design components, strengths, and weaknesses.

Question 12

Attacker-centric

Answer 12

Who- identifies the adversaries.

Question 13

THREAT INTELLIGENCE

Answer 13

evidence-based knowledge about emerging threats that can be used to inform control decisions

Question 14

OSINT - OPEN SOURCE INTELLIGENCE

Answer 14

is a term used to refer to the data collected from publicly available sources to be used in an intelligence context. OSINT framework is a structured collection of OSINT tools.

Question 15

CISA

Answer 15

America’s cyber defense agency- resources, visit on a regular basis!

Question 16

THREAT VECTOR

Answer 16

Also known as an attack vector is a potential pathway, or scenario that can be exploited
*Common threat vectors include: malicious emails in phishing attacks, weak or stolen passwords, drive-by download attacks, web applications, out of date applications or devices, and trusted relationships

Question 17

attack surface

Answer 17

is the sum of all threat vectors.

Question 18

DEFAULT CREDENTIALS

Answer 18

*Issue- initially set up by the vendor. Built-in admin username and password
*Impact- unauthorized access and compromise. Pathways to pivot to other devices- a quick Google search will usually reveal default credentials for a specific product.
*Causes- convenience, forgetfulness, laziness
*Response- change or disable the default credentials

Question 19

WEAK PERMISSIONS

Answer 19

• Issue- are those that allow for unnecessary access (device, cloud, application)
• Impact- unauthorized access, access violations, privacy violations
• Causes- lack of understanding, poor classification, overconfidence.
• Response- documented policies and procedures. Management education, config. Management and standards

Question 20

DATA EXFILTRATION

Answer 20

the unauthorized transfer of data from a computer or network, typically carried out by cyber attackers to steal sensitive information such as personal data, financial records, or intellectual property.

Question 21

OPEN SOURCE PORTS

Answer 21

network ports that are actively listening for incoming connections and are accessible from outside the network.
* Issue- ports are those in listening mode
* Impact- exposure, potential exploit, unauthorized access, denial of service, integrity of device management
* Causes- poor or nonexistent config. Management, unrestricted permission to install a device or software
* Response- Config. Management, ongoing system hardening, account restrictions

Question 22

UNSUPPORTED SYSTEMS & SOFTWARE

Answer 22

*Issue- 2 issues: unauthorized installation of devices/software OR end of life (EOL)/ end of support (EOS)
* Impact- exploits, compatibility issues, unauthorized access.
* Causes- lack of centralized control, and local admin privileges. Absence of refresh policies and lack of understanding.
* Response- refresh policies and standards, resource management, budget allocation

Question 23

THIRD-PARTY THREAT VECTORS

Answer 23

include vendors, managed service providers (MSPs), business partners, consultants, and contractors that in some interact with our organization data

Question 24

Fourth-parties

Answer 24

are vendors that third-party sources through- these manifest as risks to the organization

Question 25

supply chain

Answer 25

an entire ecosystem or organizations, processes, people, and resources involved in providing a product or service

Question 26

END OF LIFE

Answer 26

EOL: the date when the product, or service of subscription is determined to be obsolete.

Question 27

END OF SUPPORT

Answer 27

EOS: the last date to receive applicable service and support

Question 28

EOL | EOS RISKS

Answer 28

Why can’t we just keep using the hardware?
Adversaries will continue to identify and exploit vulnerabilities
Exposure to litigation for not upholding the standard or due care
Risk of downtime due to lack of support
Incompatibility with newer OS, applications, and hardware.

Question 29

service level agreements (SLA)

Answer 29

a contract between a service provider and a customer that outlines the expected level of service, including specific performance standards and responsibilities.

Question 30

SYSTEM SPRAWL

Answer 30

the uncontrolled growth and spread of IT systems and resources within an organization, making them difficult to manage and secure.

Question 31

non conformance

Answer 31

a situation where products, processes, or services fail to meet specified standards, requirements, or regulations, resulting in deviations from expected quality or performance.

Question 32

ISA

Answer 32

Information Sharing and Analysis. the sharing of information and analysis related to cybersecurity threats and vulnerabilities among organizations to improve the overall security posture of the supply chain.

Question 33

Social Engineering

Answer 33

Is the action of exploiting human nature rather than technical hacking techniques to gain access to minds, systems, data or building

Question 34

Pretexts

Answer 34

are fabricated stories or scenarios used to conceal the true purpose of an activity. Pretexts generally use enough truth to make them appear plausible.

Question 35

Impersonation

Answer 35

is an act of pretending to be someone else.

Question 36

Phishing-

Answer 36

pretexting and impersonation using email, casting a wide net. Spear phishing targets a specific group or individual, whaling targets high-profile individuals.

Question 37

SMAshing

Answer 37

pretexting and impersonation using texts.

Question 38

Vishing

Answer 38

pretexting and impersonation using voice

Question 39

Watering Hole-

Answer 39

describes the exploitation of a website or social media app that is frequented by the target. (making fake profiles to target you on Facebook, and Instagram)

Question 40

Shoulder Surfing

Answer 40

covert observation nearby or remote

Question 41

Piggybacking/ Tailgating

Answer 41

when an unauthorized person enters a checkpoint close behind, or in concert with authorized personnel

Question 42

Dumpster diving

Answer 42

the act or going through trash for information

Question 43

Baiting

Answer 43

the use of a gift for infiltration. (like a USB drive)

Question 44

Disinformation-

Answer 44

false or misleading information spread on purpose to deceive.

Question 45

Shallow fake

Answer 45

the alteration of media content using simple video editing software

Question 46

Deep fake-

Answer 46

the use of machine learning and or AI to manipulate or generate deceptive audio or video content.

Question 47

Ethical disclosure

Answer 47

is the practice of publishing information related to a vulnerability or finding. The purpose is to inform others of potential risks so they can make informed decisions and take appropriate action.

Question 48

Full disclosure

Answer 48

is making all details public without regard to additional harm that may be caused to others including exploitation by adversaries.

Question 49

Responsible disclosure

Answer 49

is making enough information known so that informed decisions can be made while not releasing details that could be useful to an adversary.

Question 50

VULNERABILITY MANAGEMENT

Answer 50

the process of identifying, assessing, reporting, prioritizing,and mitigating vulnerabilities.

Question 51

zero day (0-day) vulnerability

Answer 51

is a flaw in hardware or software that has been discovered but a fix is not yet available.

Question 52

window of vulnerability (WoV)

Answer 52

The time from when an exploit first becomes active to when the number of vulnerable systems shrinks to an insignificant number

Question 53

Escalation

Answer 53

access to a protected area

Question 54

Buffer overflow

Answer 54

a buffer overflow is a type of software bug where a program writes more data to a block of memory, or buffer than it is supposed to hold, causing the excess data to overwrite adjacent memory. This can lead to crashes, data corruption, or give attackers a way to exploit the system.

Question 55

Memory leak

Answer 55

when a program fails to release memory that is no longer needed, causing it to consume more and more memory over time. This can eventually slow down the system or cause it to run out of memory and crash.

Question 56

Race condition

Answer 56

is a flaw that produces an unexpected result when the timing of actions impact other actions

Question 57

Time-of- check- TOC

Answer 57

is when a program checks the state of a resource and then uses that info to make a decision.

Question 58

Time-of-evaluation- TOE

Answer 58

is when a program relies on the timing of events concurrently or in a specific order

Question 59

Time-of-use- TOU

Answer 59

is when the state of a resource changes between TOC and YOU often because of a concurrent thread.

Question 60

Injection-

Answer 60

is the insertion of code or commands by exploiting input validation or processing mechanisms

Question 61

Directory Traversal

Answer 61

the ability to access files and directories outside of the intended directory

Question 62

Privileged escalation

Answer 62

gaining elevated access to resources that are normally protected from an application or a user.

Question 63

Side-channel

Answer 63

a weakness in the physical properties of a device. Like power consumption or electromagnetic radiation that can be used to extract sensitive information.

Question 64

Sideloading

Answer 64

installing and running software on a mobile device from a source other than the app store

Question 65

Jailbreaking

Answer 65

bypassing the security restrictions on a mobile device to gain greater control and access to the device’s OS and files.

Question 66

Indicators of Attacks (IoAs)

Answer 66

behaviors or actions suggest an attack that is happening or about to happen- IoAs are proactive

Question 67

Indicators of Compromise (IoCs)

Answer 67

are evidence that a system may have been compromised- IoCs are reactive

Question 68

CYBER KILL CHAIN

Answer 68

Is a framework developed by Lockheed Martin that explains how attackers move through networks to identify vulnerabilities that they can then exploit.
recon- weaponization-delievery-exploit-installation-commande and control(C2)- action on objectives

Question 69

COMMON INDICATORS OF ATTACK (IoA)

Answer 69

Unusual network traffic- could be indicative of communication with a C&C server, data exfiltration or recon activity
Phishing emails- an increase in volume could be an indicator of an attack
Unusual system events- such as errors, warnings, crashes, account lockouts, missing system logs and anomalies in admin activity can be indicators of an attack
Unauthorized software- The presence of unauthorized software, files, or unapproved devices on a network can be an indicator of an attack

Question 70

Artifacts

Answer 70

are evidence or clues
*Typical artifacts left behind by an attacker include new user accounts, file hashes, virus signatures, malicious files, command and control connections, modification of system and registry settings, evidence of data exfiltration, and patterns of suspicious behavior.

Question 71

Malware

Answer 71

malicious software
*It is used by hackers, cybercriminals, hacktivists, and cyber terrorists to either steal information, harm, or disrupt operations, extort and or weaponize devices

Question 72

rootkit

Answer 72

a type of malicious software designed to gain unauthorized access to a computer system and hide its presence, allowing an attacker to maintain control over the system without being detected.

Question 73

types of rootkits

Answer 73

*Firmware- override the firmware BIOS so the rootkit can start before the OS.
*Bootkit- replaces the OS bootloader (the small piece of software that starts the OS) so that the PC loads the bootkit before the OS.
*Kernel- replace the portion of the operating system kernel so the rootkit can start automatically when the OS loads.
*Driver- impersonates a trust driver that the os uses to communicate with the hardware ( addresses by UEFI and Driver attestation)

Question 74

Stealth (malware technique)

Answer 74

is designed to be inconspicuous in order to avoid detection by concealing file size or moving to an alternate location

Question 75

Memory resident (malware technique)

Answer 75

stays resident in memory upon execution and can infect other programs running at the same time.

Question 76

Metamorphic (malware technique)

Answer 76

is rewritten with each iteration so that each succeeding version of the code is different from the preceding program

Question 77

Polymorphic (malware technique)

Answer 77

evades pattern-matching detection by frequently changing identifiable characteristics like file name, type or encryption keys

Question 78

Command and control (C2)

Answer 78

the objective for C2 is for the compromised system to contact the command center which gives the attacker control of the infected device

Question 79

Advanced persistent threat (APT)

Answer 79

sophisticated, slow, stealthy and prolonged attack on a specific target with the intention to compromise their system and gain information from or about that target

Question 80

Bot | Zombie

Answer 80

are automated processes that either have instructions embedded or listen for instructions

Question 81

Ransomware

Answer 81

encrypts files and demands ransom for the decryption key

Question 82

Bloatware

Answer 82

unwanted and potentially harmful software preloaded onto new devices. Also known as potentially unwanted application (PUAs)

Question 83

backdoors

Answer 83

code embedded in an application by the developer, backdoors (bypass control)

Question 84

logic bombs

Answer 84

code embedded in an application by the developer, executes when a certain event or time occurs

Question 85

brute force

Answer 85

a hacking method where an attacker tries all possible combinations of passwords or encryption keys until they find the correct one, to gain unauthorized access to a system.

Question 86

Work Factor

Answer 86

is the estimate of time, effort and resources needed by an adversary to succeed.

Question 87

Conduct-BRUTE FORCE APPROACHES

Answer 87

the payload of the attack is the conduct of the attack itself- denial of service attack

Question 88

Discovery -BRUTE FORCE APPROACHES

Answer 88

the payload of the attack is used to discover a hidden secret- discovering a password

Question 89

Rainbow table-

Answer 89

uses a precomputed table of hashes to find the original plaintext- password cracking

Question 90

intrusion prevention systems (IPS)

Answer 90

a security tool designed to detect and block malicious activities and attacks on a network or system in real-time

Question 91

Information technology (IT) infrastructure attack

Answer 91

are primarily concerned with managing data and information assets

Question 92

operational technology OT infrastructure attack

Answer 92

s focused on the use of hardware and software systems to monitor and control physical processes in industrial settings. For example, a manufacturing plant or transportation system.

Question 93

CYBER ATTACK TERMS

Answer 93

1. Targeted- Choose a target for a specific objective
2. Opportunistic- the attacker takes advantage of a weak target
3. Amplification- uses an amplification factor in order to multiply its power- use of botnets to launch DDoS attacks or spam campaigns.
4. Reflection- sends a large number of requests to a device with the victim’s IP address as the source address. Often used with amplification attacks.

Question 94

Spoofing

Answer 94

is impersonating an address, system or person- enables an attacker to act as the trusted source and redirect or manipulate actions

Question 95

Poisoning

Answer 95

manipulating the trusted source of data- enables the attacker to control the trusted source of data and redirect or manipulate actions

Question 96

Hijacking

Answer 96

intercepting communication between two or more systems- enables the attacker to eavesdrop, capture, manipulate, or reuse data packets.

Question 97

Denial of service

Answer 97

overwhelming system resources- enables the attacker to make services unavailable for their intended use.

Question 98

Distributed denial of service DDoS

Answer 98

massive volume of service requests from multiple sources, and often uses amplification and reflection techniques.

Question 99

URL Squatting

Answer 99

registering or using an internet domain name belonging to someone else

Question 100

Typosquatting

Answer 100

taking advantage of common typos to create fraudulent domain

Question 101

Input validation

Answer 101

is the process of properly validating input from the client or environment

Question 102

Output validation

Answer 102

is used to control what is returned to the screen

Question 103

Injection- (application attack)

Answer 103

Tricks an app to include unintended commands in the data sent to an interpreter.

Question 104

Cross-site scripting (XSS)

Answer 104

the injection of malicious code into a web application or back end database that will execute scripts in a victim browser. Can be persistent and reflective

Question 105

Cross-site request forgery (CSRF)

Answer 105

trick a web browser into executing a malicious action on a trusted site for which the user is currently authenticated. CSRF exploits the trust that a site has in a user’s browser.

Question 106

Directory Traversal

Answer 106

uses specially crafted input that includes …/ sequences to traverse a directory and access files or directories outside of the intended scope.

Question 107

SQLi ATTACK

Answer 107

a type of cyber attack where an attacker inserts malicious SQL code into a query input to manipulate a database, potentially gaining unauthorized access to sensitive data or altering the database’s content and behavior.

Question 108

WIRELESS ATTACK

Answer 108

The objective is the disruption, manipulation, or compromise of wireless transmission or devices

Question 109

Sniffing-

Answer 109

Capturing wireless data packets. Enables an attacker to eavesdrop, manipulate or reuse data packets

Question 110

Bluejacking

Answer 110

allows an attacker to send an unsolicited message to a bluetooth device

Question 111

Bluesnarfing

Answer 111

discovering and connecting to a bluetooth device with weak or nonexistent authentication requirements.

Question 112

NFC (near field communication) Bump

Answer 112

enables an NFC-enables attacker to connect to an NFC device by being in close enough range.

Question 113

Evil twin (rogue access point w/ the same SSID)

Answer 113

allows an attacker to trick a user into connecting to an attacker-controlled network. May also impersonate a captive portal to capture credentials or payment info.

Question 114

RFID cloning

Answer 114

allows the attacker to access a system, engage in credit card fraud, remove inventory, or whatever else the RFID chip is used for.

Question 115

802.11

Answer 115

a set of standards for wireless networking (Wi-Fi) that defines how devices communicate over wireless networks

Question 116

IV Attack

Answer 116

is a type of cryptographic attack that exploits weaknesses in the initialization vector

Question 117

Jamming

Answer 117

overwhelming wireless frequencies with illegitimate traffic and the frequency becomes unavailable for legit traffic.

Question 118

Dissociation

Answer 118

spoofing a disassociate message, which forces a device to reassociate, device is continually knocked offline, can be used as a precursor to an evil twin attack

Question 119

cryptanalysis

Answer 119

The process of finding a cryptographic weakness

Question 120

DOWNGRADE ATTACK

Answer 120

A type of attack on a system that forces degradation to a lower quality crypto mode. The attacker then exploits the lesser security control

Question 121

SIDE CHANNEL ATTACK

Answer 121

Is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself.

Question 122

Timing attack

Answer 122

exploits the fact that different computations take different times to compute on the processor. For example, if the encryption takes a longer time, it indicates that the secret key is long.

Question 123

Dictionary

Answer 123

list of known keys are tested, common wordlists

Question 124

Frequency analysis

Answer 124

analyzes patterns of frequencies in encrypted messages to deduce info about the underlying plaintext or key used to encrypt the message.

Question 125

Birthday

Answer 125

exploits the mathematics behind the birthday problem is probability theory to cause a collision

Question 126

Pass-the-hash

Answer 126

attackers can use captured hashed credentials from one machine to successfully gain control of another machine

Question 127

Survivability

Answer 127

a system property (the ability to prevent, mitigate, and recover from cyber events)

Question 128

open design

Answer 128

the security mechanism should not depend upon the security of the design or implementation. the argument against “security through obscurity”

Question 129

default deny

Answer 129

is a security policy where all access is denied by default, and only explicitly allowed traffic or actions are permitted.

Question 130

sanitization

Answer 130

the process of cleaning or modifying input data to remove or neutralize potentially harmful elements, ensuring it is safe for processing and preventing security vulnerabilities like SQL injection or cross-site scripting (XSS).

Question 131

zero trust

Answer 131

no default trust or privilege. verification is required for access

Question 132

least functionality

Answer 132

a security principle that dictates systems should be configured to provide only the minimum functions necessary for their intended purpose, reducing the risk of exploitation by limiting potential attack surfaces.

Question 133

separation of deuties

Answer 133

breaking a task into segments so that no one subject is in complete control or has complete decision-making power.

Question 134

least privilege

Answer 134

giving a subject only rights and permissions needed to complete assigned tasks

Question 135

psychological acceptance

Answer 135

human interface should be designed for ease of use so that users routinely and automatically apply the protection mechanisms correctly.

Question 136

Segmenting

Answer 136

an enterprise into security zones is useful for creating and enforcing security policies, controlling information flow, and securing network access.

Question 137

Security zone

Answer 137

are divisions of a network based on functional, performance, and or security requirements. They are enforced by firewall ingress and egress(incoming) access control lists (ACL) rules

Question 138

Untrusted

Answer 138

is one where the organization has no control over the internet

Question 139

Screened subnet

Answer 139

has connections to both trusted and untrusted networks

Question 140

Trusted

Answer 140

is one that the organization has complete control over.

Question 141

Enclave

Answer 141

a restricted network within a trusted network - database servers

Question 142

Air gapped

Answer 142

does not connect to any untrusted network

Question 143

Micro-segmentation

Answer 143

a method of creating zones within data centers and cloud environments to isolate workloads from one another and secure them individually.

Question 144

East-West-North-South traffic

Answer 144

north-south is the traffic that flows into and out of data centers or clouds, and east-west is the traffic within a data center or cloud.

Question 145

Protect Surface

Answer 145

made up of the network’s most critical and valuable data, assets, applications, and servers (DAAS). It’s always knowable

Question 146

Virtualization

Answer 146

creates multiple environments from a single physical hardware system- virtual machines provide fault and security isolation at the hardware level including memory and CPU access.